from the foot-in-the-door-for-greater-government-control-of-web-content dept

The US government would like to be involved in the web censorship business. The anti-sex trafficking bill recently passed by the House would do just that, forcing service providers to pre-censor possibly harmless content out of fear of being sued for the criminal acts of private citizens. Much has been made recently of "fake news" and its distribution via Russian bots, with some suggesting legislation is the answer to a problem no one seems to be able to define. This too would be a form of censorship, forcing social media platforms to make snap decisions about new users and terminate accounts that seem too automated or too willing to distribute content Congressional reps feel is "fake."

For the most part, legislation isn't in the making. Instead, reps are hoping to shame, nudge, and coerce tech companies into self-censorship. This keeps the government's hands clean, but there's always the threat of a legal mandate backing legislators' suggestions.

Key critic of Russian bots and social media companies in general -- Senator Dianne Feinstein -- has signed a handful of letters asking four major tech companies to start censoring drug-related material. Her co-signers on these ridiculous letters are Chuck Grassley, Amy Klobuchar, John Kennedy, and Sheldon Whitehouse. As members of the Senate Caucus on International Narcotic Control, they apparently believe Microsoft, Yahoo (lol), Pinterest, and Google should start preventing users for searching for drug information. (h/t Tom Angell)

The letters [PDFs here: Google, Yahoo, Microsoft, Pinterest] all discuss the search results returned when people search for information on buying drugs. (For instance, "buy percocet online.") But the letter doesn't limit itself to asking these companies to ensure only legitimate sites show up in the search results. It actually asks the companies to censor all results for drug information.

The senators specifically urge Google, Microsoft, Yahoo and Pinterest to take the following steps in helping us fight the opioid crisis:

Directing users to legal and legitimate pharmacies that require a valid prescription as a condition of sale when users search for medicines on each platforms;

Disabling the ability to search for illicit drugs through each platform;

Requiring each platform to report to law enforcement when that platform receives information indicating that a company wants to advertise the use of or sale of illicit narcotics;

Establishing a 24/7 telephone point of contact with whom law enforcement can communicate directly; and

Incorporating training for each platform’s security reviewers to enable them to better recognize these threats when they first arise.

It's the second bullet point that's key. It simply says "disable the ability to search for illicit drugs." There's no way to comply with that directive that won't result in the disappearance of useful information needed by thousands of search engine users. As Angell points out in this tweet, this would possibly cause information about drug interactions to be delisted. On top of that, students often need to research illegal drugs for class assignments and term papers. Authors and journalists also need access to a variety of drug info, including various ways they can be purchased online. Law enforcement Googles stuff just like the rest of us and its ability to track down purveyors of illegal drugs would be harmed if it was all pushed off the open web.

Those seeking to buy illegal drugs would find other ways of accomplishing this even if the info disappears. The so-called dark web is an off-the-radar option that many are using already. A whole host of useful info is in danger of being removed simply because questionable purveyors of prescription drugs have found a way to game search engine algorithms.

All of the companies receiving letters already have policies in place to restrict the illicit sale of drugs. They also have policies in place to forward pertinent info to law enforcement agencies. So, companies are already doing much of what is asked, but these senators feel the mere existence of questionable sites in search results makes these companies "facilitators" of illegal drug sales.

If SESTA is signed into law, it will make it that much easier for the government to demand similar legislation targeting opioid distribution. It will allow the government to claw back more of the immunity granted to service providers with the passage of the Communications Decency Act. The more holes drilled into Section 230 by legislation, the easier it is to remove it entirely, and paint targets on the back of search engines and social media platforms.

It's also dangerous to suggest companies need to set up dedicated 24/7 service for law enforcement agencies. This will only encourage law enforcement to bypass legal protections set up by previous legislation and lean on companies already feeling the heat from the government's increasingly-insane reaction to opioid overdoses. Warrants will seem unnecessary when legislators in DC are saying tech companies must be more responsive to law enforcement than they already are.

A suggestion from the government to start censoring search results is exactly that: censorship. The government may not be mandating it, but this is nothing like a concerned citizens group asking for more policing of search results. There's the threat of legislation and other government action propelling it. Even if these senators aren't mandating policy changes, they're still using the weight of their position to compel alteration of search results.

from the mind-if-we-take-a-look-around,-they-asked-never dept

In a recent ruling in a child porn investigation case, a judge declared that the FBI's Network Investigative Technique (NIT) -- which sent identifying user info from the suspect's computer to the FBI -- was the equivalent of a passing cop peering through broken blinds into a house.

[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home's closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer's observation did not violate the respondents' Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the "precautions that the apartment's dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing" where the police officer stood.

What would normally be awarded an expectation of privacy under the Fourth Amendment becomes subject to the "plain view" warrant exception. If a passerby could see into the house via the broken blinds, there's nothing to prevent law enforcement from enjoying the same view -- and acting on it with a warrantless search.

Of course, in this analogy, the NIT -- sent from an FBI-controlled server to unsuspecting users' computers -- is the equivalent of a law enforcement officer first entering the house to break the blinds and then claiming he saw something through the busted slats.

Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.

More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or maintain[nance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.

It only sounds like a good idea: the government riding to the rescue of unaware computer users whose devices have been pressed into service by malware purveyors and criminals. But, as Gabe Rottman of CDT points out, there's some vague wording in the existing law that would undercut important Fourth Amendment protections when used in conjunction with the DOJ's botnet-fighting powers.

Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .”'

Rottman points to the FBI's 2011 shutdown of the Coreflood botnet. After obtaining a restraining order under the federal rule, the FBI used its own server to issue commands to infected computers, halting further spread of the malware and shutting down the software on infected host devices. Again, this seems like a good use of the government's resources until you take a closer look at what's actually happening when the FBI does this sort of thing.

The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.

The "community caretaker" function is one exception to warrant requirements. Accessing peoples' computers without their permission under these auspices allows the FBI to avail itself of a second warrant exception.

In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant.

While these are both valid exceptions to warrant requirements, they've never been deployed on this sort of scale. Officers can perform community caretaker functions that may result in contraband being discovered in plain view. When the FBI takes on a botnet, however, it will have access to potentially thousands of computers at a time and the legislated permission to not only "enter" these computers, but to take a look around at the contents.

The Fourth Amendment was put into place to end the practice of general warrants. The FBI's botnet-fighting efforts turn court-ordered injunctions into digital general warrants, only without the pesky "warrant" part of the phrase. And, unlike other warrants, the proposed legislation would do away with another Fourth Amendment nicety: notification.

As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.

The bill has only been introduced and there's no forward motion as of yet. It's in need of serious repair before it heads further up the legislative chain. As it's written, there's nothing standing between people's personal files and a host of digital officers wandering through virtual houses in search of malware and searching/seizing anything else that catches their eye.

from the questions-to-ask dept

Last week, we noted that Senator Sheldon Whitehouse (who has a bit of a history of really flubbing key tech issues), was downright angry that people were pushing back on his plans to expand the possible punishment under the widely abused Computer Fraud and Abuse Act (CFAA). Whitehouse pulled out the usual tropes, saying that the DOJ supports his amendment, and he couldn't understand why anyone could possibly be against ratcheting up punishment for "cyber criminals." Except, that shows an astounding level of ignorance on the part of Senator Whitehouse, because the CFAA is regularly used against people who most would not consider to be traditional "cyber criminals."

A group of activist organizations recently sent Senator Whitehouse a letter protesting his CFAA Amendment, and noting that while he thinks it's just being used against nefarious computer hackers, that's not the case. The CFAA is regularly used against plenty of others as well, including some people that Senator Whitehouse might even support. For example, the letter points to a case from a few years ago, Pulte Homes v. Laborers' International Union, in which the 6th Circuit decided that a union telling its members to call and email a company they were protesting violated the civil portion of the CFAA. The case involved the union telling its members to call and email Pulte Homes, which apparently slowed down their computer systems, and the court ruled that was enough "intentional damage" to qualify as a CFAA violation:

The following allegations illustrate LIUNA’s objective to
cause damage: (1) LIUNA instructed its members to send thousands of e-mails to three
specific Pulte executives; (2) many of these e-mails came from LIUNA’s server;
(3) LIUNA encouraged its members to “fight back” after Pulte terminated several
employees; (4) LIUNA used an auto-dialing service to generate a high volume of calls;
and (5) some of the messages included threats and obscenity. And although Pulte
appears to use an idiosyncratic e-mail system, it is plausible LIUNA understood the
likely effects of its actions—that sending transmissions at such an incredible volume
would slow down Pulte’s computer operations. LIUNA’s rhetoric of “fighting back,”
in particular, suggests that such a slow-down was at least one of its objectives. The
complaint thus sufficiently alleges that LIUNA—motivated by its anger about Pulte’s
labor practices—intended to hurt Pulte’s business by damaging its computer systems.

This seems notable, because sending lots of calls and emails is a pretty standard activist/protest mechanism, used all the time. The idea that it might be considered a CFAA violation is immensely troubling. And it should be doubly so for Senator Whitehouse, given that he's received tremendous support from unions in the past. According to Open Secrets, two of his largest funders are the Service Employees International Union and the Teamsters. He's also received lots of money from Ocean Champions, an activist group focused on protecting our oceans. And, yet, at the same time, he seems to be ratcheting up a law that might be used against some of their activism. Meanwhile, his PAC has received lots of support from unions as well, including the Sheet Metal Workers Union and the International Brotherhood of Electrical Workers.

As the letter from the activist groups note:

No
government
that
respects
the
public's
right
to
speak
and
organize
should
ban
such
behavior,
yet
that
is
precisely
what
the
CFAA
has
been
interpreted
to
do.
That
activists
must
work
under
fear
of
such
exposure
redounds
to
the
benefit
of
corporations
that
are
exploitative
of
their
workers,
polluters,
and
others
who
stand
opposed
to
our
shared
progressive
values.

The letter further notes that one of the key parts of Senator Whitehouse's amendment, about "botnets," will almost certainly be used against online activists, who seek to bring a bunch of internet users together to speak out. Given the way Senator Whitehouse reacted last week, it seems unfortunately likely that this letter will fall on deaf ears. But it's important to recognize that just because you claim a law will be used against "cyber criminals" doesn't mean that it won't be used to stifle things like activism that you might actually support.

from the the-pro-botnet-lobby-is-here dept

As we mentioned yesterday, one of the (many) bad things involved in the new Senate attempt to push the CISA "cybersecurity" bill forward was that they were including a bad amendment added by Senator Sheldon Whitehouse that would expand the terrible Computer Fraud and Abuse Act, a law that should actually be significantly cut back. Senator Ron Wyden protested this amendment specifically in his speech against CISA. And, for whatever reason, Whitehouse's amendment has been pulled from consideration and Whitehouse is seriously pissed off about it.

He went on the Senate floor to directly whine about it, even sarcastically calling out the "hidden pro-botnet, pro-foreign cyber criminal caucus" that somehow fought against the bill. Except it wasn't a "pro-botnet" anyone who killed the amendment. It was a lot of people who were quite reasonably concerned about what the amendment would do to the CFAA. And while it's true that Whitehouse improved the amendment from its originally really terrible state, it still was a bad amendment. Whitehouse goes on and on in has rant about who could possibly be "against" shutting down botnets or raising penalties for hacking into critical infrastructure, citing that "law enforcement" supports the bill. But, of course, that leaves out the other side entirely. And that's not the "pro-botnet, pro-foreign cyber criminal" caucus, but rather people who are well aware of how the CFAA has regularly been abused by law enforcement to bring charges against non-criminals, or to pile on charges on those committing minor offenses. Expanding all of that without stopping the potential for abuse only means the bill will be abused further.

Whitehouse continues to make a name for himself as one of the most technologically illiterate members of the Senate. Late last year he went on a rant about a totally made up Google search (the results did not show what he claimed they showed) and an equally made up Pirate Bay whose actual site did not show what Whitehouse pretended it showed. He also was strongly in favor of backdooring encryption, arguing that if Apple doesn't backdoor encryption, perhaps it will be opening itself up to a lawsuit when the FBI can't track down a kidnapper (ignoring all the times that such encryption would actually protect people). This push to expand the CFAA and then whining about pushback on the Senate floor is only adding to his reputation as one of the most anti-tech industry Senators out there.

And, of course, for all the show on the floor, it's not like the Amendment is dead anyway. As Marcey Wheeler notes in her post (linked above), there's still a good chance that his CFAA amendment will be brought back into the bill when the House and Senate conference to resolve differences in the bills across houses.

from the what-are-they-thinking? dept

Despite the fact that most of the internet industry has recently come out against the ridiculous faux-cybersecurity bill CISA, the Senate today began the process of moving the bill forward with a debate. The arguments were pretty much what you'd expect. The supporters of the bill, such as Senators Dianne Feinstein and Richard Burr, went on and on about how the bill is "voluntary" and about various online hacks (none of which would have been stopped by CISA -- but apparently those details don't matter). Senator Ron Wyden responded by pointing to all the internet companies coming out against the bill, and saying (accurately) that they're doing so because they know the public no longer trusts many of those companies, and they don't want a bill that will almost certainly be used for further surveillance efforts.

Amazingly, Burr shot back with a really dishonest and misleading claim that companies that don't agree to "share" information with the government are the ones harming their users by somehow not protecting their info. That's fairly incredible. The reason that companies don't want to share info is because no one -- the companies or the public -- trust the government to not abuse the information. To turn that around and pretend that sharing the info with the government is likely to better protect user information is laughable.

The fact that the internet companies have finally come out against CISA is a really big deal. For the past few years, they've remained pretty quiet on it and related bills, because it would have granted them immunity from liability for participating in the program. So, for the tech companies, it was tough to argue against the bill, since it just protected them from legal liability. Yet, in the last few weeks, many internet companies and industry associations have (finally) spoken out against the bill, noting that it actually puts their users' privacy at risk. This also helps highlight how the claim that this is all "voluntary" is a myth, and the companies recognize that they will likely be pressured into sharing information.

Meanwhile, a bunch of amendments have been introduced along with CISA... including an absolutely terrible amendment introduced by Senator Sheldon Whitehouse that would revamp an unrelated bill, the infamous CFAA, which needs to be reformed. Except that the Whitehouse amendment makes the CFAA worse, not better.

There's still plenty of process to occur, but the ball is now rolling. There will likely be some fights and votes in the next few days, but if you don't think CISA (or this horrible CFAA amendment) should pass, now would be a good time to call your two Senators and let them know to oppose this.

from the this-is-wrong dept

A few weeks ago, we pointed out that Senator Sheldon Whitehouse led the way with perhaps the most ridiculous statement of any Senator (and there were a lot of crazy statements) in the debate over encryption and the FBI's exaggerated fear of "going dark." He argued that if the police couldn't find a missing girl (using a hypothetical that not only didn't make any sense, but which also was entirely unlikely to ever happen), then perhaps Apple could face some civil liability for not allowing the government to spy on your data. Here's what he said:

It strikes me that one of the balances that we have in these circumstances, where a company may wish to privatize value -- by saying "gosh, we're secure now, we got a really good product, you're gonna love it" -- that's to their benefit. But for the family of the girl that disappeared in the van, that's a pretty big cost. And, when we see corporations privatizing value and socializing costs, so that other people have to bear the cost, one of the ways that we get back to that and try to put some balance into it, is through the civil courts. Through the liability system. If you're a polluter and you're dumping poisonous waste into the water rather than treating it properly somebody downstream can bring an action and can get damages for the harm they sustained, can get an order telling you to knock it off.

You can read our longer analysis of how wrong this is, but in short: encryption is not pollution. Pollution is a negative externality. Encryption is the opposite of that. It's a tool that better protects the public in the vast majority of cases. That's why Apple is making it so standard.

The suggestion was so ridiculous and so wrong that we were surprised that famed NSA apologist Ben Wittes of the Brookings Institute found Whitehouse's nonsensical rant "interesting" and worthy of consideration. While we disagree with Wittes on nearly everything, we thought at the very least common sense would have to eventually reach him, leading him to recognize that absolutely nothing Whitehouse said made any sense (then again, this is the same Wittes who seems to have joined the magic unicorn/golden key brigade -- so I'm beginning to doubt my initial assessment that Wittes is well-informed but just comes to bad conclusions).

However, even with Wittes finding Whitehouse's insane suggestion "interesting," it's still rather surprising to see him find it worthy of a multi-part detailed legal analysis for which he brought in a Harvard Law student, Zoe Bedell, to help. In the first analysis, they take a modified form of Whitehouse's hypothetical (after even they admit that his version doesn't actually make any sense), but still come to the conclusion that the company "could" face civil liability. Though, at least they admit plaintiffs would "not have an easy case."

The first challenge for plaintiffs will be to establish that Apple even had a duty, or an obligation, to take steps to prevent their products from being used in an attack in the first place. Plaintiffs might first argue that Apple actually already has a statutory duty to provide communications to government under a variety of laws. While Apple has no express statutory obligation to maintain the ability to provide decrypted information to the FBI, plaintiffs could argue that legal obligations it clearly does have would be meaningless if the communications remained encrypted.

To make this possible, Bedell and Wittes try to read into various wiretapping and surveillance laws a non-existent duty to decrypt information from your mobile phone. But that's clearly not true. If that actually existed, then we wouldn't be having this debate right now in the first place, and FBI Director James Comey wouldn't be talking to Congress about changing the law to require such things. But, still, they hope that maybe, just maybe, a court would create such a duty out of thin air based on things like "the foreseeability of the harm." Except, that's going to fall flat on its face, because the likelihood of harm here goes the other way. Not encrypting your information leads to a much, much, much greater probability of harm than encrypting your data and not allowing law enforcement to see it.

Going to even more ridiculous levels than the "pollution" argument, this article compares Apple encrypting your data to the potential liability of the guy who taught the Columbine shooters how to use their guns:

For example, after the Columbine shooting, the parents of a victim sued the retailer who sold the shooters one of their shotguns and even taught the shooters how to saw down the gun’s barrel. In refusing to dismiss the case, the court stated that “[t]he intervening or superseding act of a third party, . . . including a third-party's intentionally tortious or criminal conduct[,] does not absolve a defendant from responsibility if the third-party's conduct is reasonably and generally foreseeable.” The facts were different here in some respects—the Columbine shooters were under-age, and notably, they bought their supplies in person, rather than online. But that does not explain how two federal district courts in Colorado ended up selecting and applying two different standards for evaluating the defendant's duty.

But it's even more different than that. Even with this standard -- which many disagree with -- there still needs to be "conduct" that is "reasonably and generally foreseeable." And that's not the case here that it is "reasonably and generally foreseeable" that because data is encrypted that people will be at more risk. In all these years, the FBI still can't come up with a single example where such encryption was a real problem. It would be basically impossible to argue that this is a foreseeable "problem," especially when weighed against the very real and very present problem of people trying to hack into your device and get your data.

In the second in the series, Bedell and Wittes go even further in looking at whether or not Apple could be found to have provided material support to terrorists thanks to encryption. If this sounds vaguely familiar, remember a similarly ridiculous claim not to long ago from a music industry lawyer and a DOJ official that YouTube and Twitter could be charged with material support for terrorism because ISIS used both platforms.

Bedell and Wittes concoct a scenario in which a court might argue that providing a phone that can encrypt a terrorist's data, opens the company up to liability:

In our scenario, a plaintiff might argue that the material support was either the provision of the cell phone itself, or the provision of the encrypted messaging services that are native on it. Thus, if a jury could find that providing terrorists with encrypted communications services is just asking for trouble, then plaintiffs would have satisfied the first element of the definition of international terrorism in § 2331, a necessary step for making a case for liability under § 2333.

Of course, this is wiped out pretty quickly because that law requires intent. The authors note that this would "pose a challenge" to any plaintiff "as it would appear to be difficult, if not impossible, to prove that Apple intended to intimidate civilians or threaten governments by selling someone an iPhone..."

You think?

But, our intrepid NSA apologists still dig deeper to see if they can come up with a legal theory that will actually work:

But again, courts have handled this question in ways that make it feasible for a plaintiff to succeed on this point against Apple. For example, when the judge presiding over the Arab Bank case considered and denied the bank’s motion to dismiss, he shifted the analysis of intimidation and coercion (as well as the question of the violent act and the broken criminal law) from the defendant in the case to the group receiving the assistance. The question for the jury was thus whether the bank was secondarily, rather than primarily, liable for the injuries. The issue was not whether Arab Bank was trying to intimidate civilians or threaten governments. It was whether Hamas was trying to do this, and whether Arab Bank was knowingly helping Hamas.

Judge Posner’s opinion in Boim takes a different route to the same result. Instead of requiring a demonstration of actual intent to coerce or intimidate civilians or a government, Judge Posner essentially permits the inference that when terrorist attacks are a “foreseeable consequence” of providing support, an organization or individual knowingly providing that support can be understood to have intended those consequences. Because Judge Posner concludes that Congress created an intentional tort, § 2333 in his reading requires the plaintiff to prove that the defendant knew it was supporting a terrorist or terrorist organization, or at least that it was deliberately indifferent to that fact. In other words, the terrorist attack must be a foreseeable consequence of the specific act of support, rather than just a general risk of providing a good or service.

But even under those standards, it's hard to see how Apple could possibly be liable for material support. It's just selling an iPhone and doing so in a way that -- for the vast majority of its customers -- is better protecting their privacy and data. It would take an extremely twisted mind and argument to turn that into somehow "knowingly" helping terrorists or creating a "foreseeable consequence." At least the authors admit that much.

But why stop there? They then say that Apple could still be liable after the government asks them to decrypt messages. If Apple doesn't magically stop the user in particular from encrypting messages, then, they claim, Apple could be shown to be "knowingly" supporting terrorism.

The trouble for Apple is that our story does not end with the sale of the phone to the person who turns out later to be an ISIS recruit. There is an intermediate step in the story, a step at which Apple’s knowledge dramatically increases, and its conduct arguably comes to look much more like that of someone who—as Posner explains—is recklessly indifferent to the consequences of his actions and thus carries liability for the foreseeable consequences of the aid he gives a bad guy.

That is the point at which the government serves Apple with a warrant—either a Title III warrant or a FISA warrant. In either case, the warrant is issued by a judge and puts Apple on notice that there is probable cause to believe the individual under investigation is engaged in criminal activity or activity of interest for national security reasons and is using Apple’s services and products to help further his aims. Apple, quite reasonably given its technical architecture, informs the FBI at this point that it cannot comply in any useful way with the warrant as to communications content. It can only provide the metadata associated with the communications. But it continues to provide service to the individual in question.

But all of this, once again, assumes an impossibility: that once out of its hands, Apple can somehow stop the end user from using the encryption on their phone.

This is the mother of all stretches in terms of legal theories. And, throughout it all, neither Bedell nor Wittes even seems to recognize that stronger encryption protects the end user. It's like it doesn't even enter their minds that there's a reason why Apple is providing encryption that isn't "to help people hide from the government." It's not about government snooping. It's about anyone snooping. The other cases they cite are not like that at all. These arguments, even as thin as they are, only make sense if Apple's move to encryption doesn't really have widespread value for basically the entire population. You don't sue Toyota for "material support for terrorism" just because a terrorist uses a Toyota to make a car bomb. Yet, Wittes and Bedell are somehow trying to make the argument that Apple is liable for better protecting you, just because in some instances it might also help "bad" people. That's a ridiculous legal theory that barely deserves to be laughed at, let alone a multi-part analysis of how it "might work."

from the these-people-are-in-charge? dept

We already wrote a bit about the two Senate hearings that FBI Director James Comey participated in yesterday, concerning his alleged desire to have a "discussion" about the appropriateness of backdooring encryption. The phrase tossed around at the hearings was about the FBI's fear of "going dark" in trying to track down all sorts of hypothetical bad guys (and it always was hypothetical, since no actual examples were given). However, not all of the crazy statements came from Comey. There was plenty of nuttiness from Senators as well. It is, of course, difficult to pick out the most ridiculous, so here are two that stood out to me, personally. And, to avoid any charges of bias, I'll include one from each hearing and one from a Democrat and one from a Republican.

Let's start with the first hearing, the one before the Senate Judiciary Committee, where Senator Sheldon Whitehouse decides to add his bizarrely ignorant statements (starting around 1 hour, 18 minutes into the recording). Whitehouse starts out with a hypothetical (again!) story of a girl being kidnapped outside of her home ("taken into a van"), but having her phone left inside. He claims that in the past, law enforcement could get a warrant for the phone "to help locate the girl." And now "they cannot do that." This hypothetical makes no sense for a variety of reasons. First, the number of actual abductions like that is pretty rare. But, more importantly, if the phone is at home then it's not exactly going to help law enforcement locate her any more. He's mixing up a variety of different things involving location versus stored data encryption. It's just a scare story that has little to do with the issue of stored data encryption, which is what the hearing is supposed to be about.

But, from there, he goes on to make an even more bizarre statement, claiming that companies pushing encryption are doing so solely for their own corporate benefit, creating harm for the public. In fact, he compares encryption to pollution, and then argues that there could be civil liability because encrypted phones make it difficult to find hypothetical kidnapped girls:

It strikes me that one of the balances that we have in these circumstances, where a company may wish to privatize value -- by saying "gosh, we're secure now, we got a really good product, you're gonna love it" -- that's to their benefit. But for the family of the girl that disappeared in the van, that's a pretty big cost. And, when we see corporations privatizing value and socializing costs, so that other people have to bear the cost, one of the ways that we get back to that and try to put some balance into it, is through the civil courts. Through the liability system. If you're a polluter and you're dumping poisonous waste into the water rather than treating it properly somebody downstream can bring an action and can get damages for the harm they sustained, can get an order telling you to knock it off.

This appears to be a thing that Senator Sheldon Whitehouse does. He makes up ridiculous hypotheticals of situations that aren't happening and then jumps to flat out wrong arguments based on those hypotheticals.

Here, he's just wrong that companies employing encryption are "privatizing value and socializing costs." In fact, as many, many, many people will argue, companies that are putting in place end-to-end encryption actually can make it more difficult for them to make money, since they close off avenues such as targeted advertising, since they lose access to the information being transmitted. But, even more to the point, this entire argument is based on the simply wrong (and completely ignorant) argument that the there's a "cost" to the public of greater encryption. That's not just wrong, it's so wrong as it should call into question the career choices of whatever clueless staffer fed that line to Senator Whitehouse. The whole crux of the argument, as has been explained over and over again, is that greater encryption better protects the public from cyberattacks, from those seeking to violate their privacy and from other potential malicious actors.

In other words, the actual scenario that Whitehouse should be concerned about is not the mythical girl being abducted into a van (again, a scenario that rarely happens), but the malicious online actors who are seeking to break into the girl's bank account or other online accounts in order to cause all sorts of actual problems for her in real life. That's the much more likely threat, and it's the one that strong encryption helps protect. The whole idea that strong encryption is the equivalent of pollution is hilariously wrong. Pollution is a negative externality. But strong encryption is not a negative externality. It better protects the public. It's a public benefit.

Senator Whitehouse's argument is based on a near total misunderstanding of what encryption does and how it protects people, and is devoid of any understanding of actual threats that people face in the world -- both the low likelihood of random abduction and the high likelihood of having your online accounts under attack. It's so far from reality that it feels like Senator Whitehouse ought to issue an apology.

On to the second hearing before the Intelligence Committee. In this case, the Senator we'll pick on is Senator John McCain. His part starts a little after the 1 hour and 15 minute mark into that video. And he's focused on the worst kind of political grandstanding, hyping up FUD around ISIS, followed by a "but we must do something!" argument that ignores the simple fact that the plan he supports actually makes the problem worse, not better. As you'll see, Senator McCain doesn't care about that. He just wants something done. This one involves some back and forth with Comey, starting with the scare stories to start things out:

McCain: Is it true that, you have stated on several occasions, that ISIS poses over time a direct threat to the United States of America?

Comey: Yes.

McCain: And that is the case today?

Comey:: Yes. Everyday they're trying to motivate people here to kill people on their behalf.

McCain: And every day that they take advantage of this use of the internet, which you have described by going to unbreakable methods of communicating, the more people are recruited and motivated to, here in the United States and other countries to attack the United States of America. Is that true.

Comey: Yes sir.

Okay, let's just cut in here first of all to note that it's not actually true. I mean, it's possible that this is happening, but there still has yet to be a single credible story about ISIS successfully "recruiting" people in the US to perform an attack in the US. All of the ISIS "arrests" so far have been part of the FBI's own plots, where it's an FBI informant doing the "recruiting and motivating."

McCain: So this is not a static situation. This is a growing problem, as ISIS makes very effective use of the internet. Is that correct?

Comey: That's correct sir.

McCain: So with all due respect to your opening comments, this is more than a conversation that's needed. It's action that's needed. And, isn't it true that, over time, the ability of us to respond is diminished as the threat grows and we maintain the status quo?

Comey: I think that's fair.

Actually, it's not fair. It's wrong. I mean, it depends on what kind of "action" we're talking about -- but since the entire hearing focused on backdooring encryption, it's difficult to argue that the "ability to respond diminishes" over time because any plan to backdoor encryption wouldn't be an actual response that matters. ISIS would quickly just switch to encrypted systems that aren't backdoored by the US government, and there are plenty to choose from.

McCain: So, we're now -- and I've heard my colleagues, with all due respect talking about attacks on privacy and our Constitutional rights etcetera -- but it seems to me that our first obligation is the protection of our citizenry against attack. which you agree is growing. Is that a fact?

Comey: I agree that is our first responsibility. But I also...

McCain: So the status quo is not acceptable if we support the assertion that our duty is to protect the lives and property of our fellow citizenry. That is our first priority. You agree with that?

Okay, first off, you should really watch this point to see the dismissive way he shrugs off the part about "privacy" and "our Constitutional rights etcetera." It's really quite disturbing, frankly. And that's because the next line is just wrong. The Oath of Office given to Senators is that they will "support and defend the Constitution of the United States against all enemies, foreign and domestic." It does not say anywhere that they are to "protect our citizenry against attack." And it especially does not say that the role of a Senator is to protect the citizenry from attack over protecting the Constitution. It says the exact opposite. It says that his sole job is to protect the Constitution.

That a Senator who has been in office as long as McCain is flat out ignoring the Oath he's taken many times, and actually arguing for a policy that he is admitting violates that oath is somewhat stunning. He is flat out saying, in violation of his oath, that his job is to undermine the Constitution if he believes it will protect the American people from attack.

And, just to highlight how incredibly stupid this statement is, pushing for backdoors on encryption doesn't even do what he thinks it does. It actually makes Americans more open to attack by making their digital information less safe and secure. So even if we took McCain's argument at face value and ignored that it's directly in contrast to his oath of office, he's still wrong, because he's putting more Americans at risk, rather than "protecting" them.

As for Comey agreeing that this is a first priority, he's wrong about that too. Some might think that is the first priority for the FBI, even if it isn't for Congress, but it's not. The FBI's oath is also to "support and defend the Constitution against all enemies, foreign and domestic."

McCain then drags out a bunch of leading questions in which he continues to try to make it out like "something must be done to stop this nasty encryption" stuff, getting Comey to (mostly) agree, even to completely bogus statements.

Comey: I agree that this is something that we have to figure out what to do about.

McCain: So now we have a situation where the major corporations are not cooperating and saying that if we give the government access to their internet, that somehow, it will compromise their ability to do business. Is that correct also?

Comey: (Shakes his head back and forth in a way suggesting he disagrees, but then says): That's a fair summary of what some have said.

McCain: So we're discussing a situation in which the US government -- i.e., law enforcement and the intelligence community -- lack the capability to do that which they have the authority to do. Is that correct?

Comey: Certainly with respect to the interception of encrypted communications and accessing locked devices, yes.

McCain: So we're now in an interesting situation where your obligation is to defend the country, and at the same time, you're unable to do so, because these telecommunications... these organizations are saying that you can't, and are devising methodology that prevents you from doing so, if it's the single key, only used by the user. Is that correct?

Comey: I wouldn't agree, Senator, that I'm unable to discharge my duty to protect the country. We're doing it every single day using all kinds of tools...

McCain: Are you able to have access to those systems that only have one key?

Comey: No, we can't break strong encryption.

McCain: So, you can't break it. And that is a mechanism which is installed by the manufacturer prevent you [sic] from using... that there's only one key that is available to them... to you.

Comey: That's correct.

Now, to his very slight credit, after this misleading back and forth, Comey eventually plays a slight devil's advocate here, and at least attempts to channel the views of all of those computer security experts who have pointed out that backdooring encryption makes people less safe.

McCain: So suppose that we had legislation which required two keys. One for the user and one that, given a court order, requiring a court order, that you would be able to -- with substantial reason and motivation for doing so -- would want to go into that particular site. What's the problem with that?

Comey: Well, a lot of smart people, smarter than I, certainly, say that would have a disastrous impact on broader security across the internet, which is also part of my responsibility.

McCain: Do you believe that?

Comey: I'm skeptical that we can't find a solution that overcomes that harm. But a lot of serious people say "ah, you don't realize, you'll rush into something and it'll be a disaster for your country. Because it'll kill your innovation, it'll kill the internet." That causes me to at least pause and say "well, okay, let's talk about it."

At which point McCain totally ignores that point to go back to his but we need to do something! mantra.

McCain: But, we've just established the fact that ISIS is rushing in to trying... attempting... to harm America and kill Americans. Aren't we?

Comey: They are.

McCain: So I say with respect to my colleagues, and their advocacy for our constitutional obligations and rights, that we're facing a determined enemy who is, as we speak -- according to you and the director of Homeland Security -- seeking to attack America, destroy America and kill Americans. So it seems to me that the object should be here, is to find a way not only to protect Americans' rights, but to protect American lives. And I hope that you will devote some of your efforts -- and I hope that this Committee... and I hope the Congress will -- understand the nature of this threat. And to say that we can't protect Americans' Constitutional rights in the same time protect America, is something that I, simply, won't accept.

Except, we can protect Americans' Constitutional rights and, at the same time, protect America: by enabling strong encryption that better protects the security and privacy of everyone, without adding unnecessary vulnerabilities in the form of government backdoors. McCain completely ignored the rebuttal point that his position actually makes America less safe by opening things up to those who wish to attack us.

Don't we deserve Senators who don't spout pure ignorance, focused on scaring the American public in ways that make us both less safe and take away the Constitutional rights they've sworn to defend?

There were plenty of other ridiculous claims made by Senators in both hearings, but these were the two nutty ones that stuck out for me. We deserve better elected officials.

from the something-must-be-done dept

Senator Sheldon Whitehouse was a strong supporter of the SOPA/PIPA approach to breaking the internet to appease Hollywood. Even as lots of others bailed out on their support of the bills, Whitehouse refused to change his position. It appears he'd like to push such a solution again. On Wednesday, the Senate held hearings for the nominees for both the head of the US Patent and Trademark Office, Michelle Lee, as well as the new "Intellectual Property Enforcement Coordinator" (IPEC), Dan Marti. Marti is a bit of a wildcard, with most of his legal practice related to intellectual property being focused on trademark, rather than copyright. So it was worth paying attention to what he had to say in response to the questions. However the most bizarre and ridiculous question came from Senator Whitehouse, who proved to be rather confused about how both the internet and copyright law worked. You can see the full video here. Whitehouse begins talking around the one hour, 35 minute mark. He kicks it off by displaying his ignorance. First, he refers to Marti's predecessor, Victoria Espinel, and how he had asked her to do more to stomp out piracy, and then launches into a statement almost entirely devoid of factual statements:

I can remember Ms. Espinel coming here, some time ago to talk about the progress she intended to make in dealing with the criminal activity that steals American intellectual property, particularly entertainment content, and provides it to viewers, and that they were going to work really hard, with other American corporations that were supporting that activity to try to knock it down.

So while we were having this hearing, I picked up my iPad, and I went to Google, and I Googled "pirate movie." And Google gave me "The Pirate Bay" [holds up his iPad] which is an illegal enterprise, operating out of Sweden. And if you go to the page where you would get access to the pirate content, it says "get access now" and underneath it you have the flags of Visa, of Mastercard, of American Express, of Cirrus and of Paypal. And below that it tells you all the devices it works on and shows you the logos of Apple, Android, and so forth.

It looks to me like this criminal activity is still being wrapped around with the apparent support of a wide variety of American corporations. [Incredulous expression]. Explain to me how there's been progress made.

Almost everything Senator Whitehouse said in this statement is either wrong or totally clueless. It does not speak well of him as a Senator to be so misinformed about some rather basic things. First, there are the basics. A search engine is not and should not be illegal. Yet, Senator Whitehouse doesn't seem to understand the different role of a system like The Pirate Bay from a site that actually hosts or uploads infringing content. Second, at the time of the hearing, the Pirate Bay is down, so his claims pretending to show the site are clearly a lie. It's been in the news a lot that the site is gone. You'd think some staffer would have told Senator Whitehouse not to use that example.

Third, a Google search on "pirate movie" does not link to The Pirate Bay at all. Here's the search done on Google:

Note that it actually highlights a 1982 movie, and even points people to Amazon where they can purchase it. Nowhere on the page does it point anyone to The Pirate Bay or any other site from which you can download infringing content. Not even close.

Senator Whitehouse appears to be flat out lying about what happens when you do such a search on Google, and then compounding it by lying about going to The Pirate Bay. On top of that, his description of what he claims he saw on The Pirate Bay appears to be totally false as well. And while some of my critics may find this difficult to believe, I've never used the site (other than occasionally reading some of its blog posts) so I reached out, via Twitter, to multiple people who had used the site regularly to see if his description was accurate. None could ever remember seeing credit card logos or Apple/Android logos. And, why would they, really, since the content found on The Pirate Bay was usually just pure files and available for free. So there would be no need to post credit card logos or even device compatibility, since that would depend more on the kinds of apps you used to view/listen/read the files obtained. Yes, there were tons of ads on the site, people point out, but they tended to be for crappy porn sites and the like.

In other words, almost every detail of what Senator Whitehouse describes is a lie. He may be describing some other site, but he didn't find it with the search he described and it wasn't The Pirate Bay. And even if there were logos from American companies, anyone can set up a website with such logos and it means nothing about whether they're complicit.

And then he demands that something must be done?

Marti barely gets half a robotic sentence out in response, saying that "criminal actors, criminal enterprises have no limits" when Whitehouse cuts him off with some more nonsense:

They actually do! [Holds up iPad again] There are ways in which these companies could go to court and try to knock this stuff down. There are ways in which prosecutors can have discussions with companies about aiding and abetting offenses and about being accessories to offenses. There's a lot that can be done in this area, it seems to me!

Marti points out that he was talking about something entirely different -- that sites will of course put up logos to make themselves try to look legit (though he doesn't go so far as to point out that Senator Whitehouse's suggestion that because a site puts up a logo, that doesn't mean the company whose logo was put up isn't "aiding and abetting" a damn thing).

Even more to the point, Whitehouse's claim that companies can "go to court and try to knock this stuff down" also makes no sense. Under what law? What legal issue is there in the (fake) circumstances that Whitehouse describes? At most, there might be a trademark violation, and does he really think it's worth company's time to go after such fly-by-night sites for trademark violations? And the whole "aiding and abetting" claim is ridiculous. Is Senator Whitehouse honestly claiming that if a site that offers up infringing works notes that the works can work on Apple or Android that Apple or Google are "accessories" to a crime? Isn't a Senator supposed to understand the law?

Whitehouse then turns to Michelle Lee, who used to work at Google, but on patent policy, not copyright, and asks her if Google could stop this. Though, again, he's flat out lying about what Google is supposedly doing. It's a bizarre question. And Lee just says she doesn't know the answer to that question (how could she when it makes no sense). Whitehouse gives a sarcastic "Hmm!" in response, as if he's discovered something -- other than actually revealing his astounding ignorance. He further claims that because Lee was a deputy general counsel at Google (again on patents, not copyright issues) that it shows that Google didn't really care about this issue. Really?

Finally, he appears to attack Marti for not having done anything, despite the fact he's not in the job yet, and then claims that all of this proves that the "voluntary" process that Espinel championed (like the ridiculous "six strikes" agreements between some ISPs and the legacy entertainment companies) is not enough. He seems to clearly be hinting that we need more government action, or more SOPA-type laws, based on an entirely false scenario that either he or his staffers (or some... lobbyists) made up and handed to him. Instead, all it shows is him getting angry in a manner that displays his near total ignorance of the topic at hand.

Is it really too much to ask that the people who make the laws impacting technology not be totally ignorant about both the laws and the technology? Frankly, Senator Whitehouse owes Marti, Lee and basically all internet users an apology.

from the shameful dept

One of the more troubling aspects that we've seen in the past few years is that, despite SOPA failing to pass in Congress, thanks to widespread public outcry, various copyright interests have continued to look for ways to push forward ways to implement SOPA in practice, even if not in law. For example, we recently pointed to how the USTR praised Italy for implementing a plan even more draconian than SOPA, likely leading to a later attempt by the USTR to "harmonize" international laws by requiring the US to do the same in a future trade agreement or treaty. Similarly, the US government still continues to do questionable domain seizures that appear to be a clear First Amendment violation. Even more nefarious, however, may be the various attempts by politicians to push for questionable "voluntary agreements" that effectively implement SOPA anyway.

Recently, four members of Congress -- Reps. Bob Goodlatte and Adam Schiff, and Senators Sheldon Whitehouse and Orrin Hatch -- sent an exceptionally questionable letter to various internet ad networks, asking them to start blacklisting "piracy sites." This was one of the requirements in SOPA. And, as we discussed years ago, there are serious problems with such plans. Back in 2011, ad giant GroupM tried to do the same sort of thing, asking Universal Music to provide it with a list of piracy sites, and that list included tons of legitimate sites -- including SoundCloud, Vimeo, the Internet Archive, BitTorrent's corporate page... and a bunch of hip hop blogs. It also included (Universal music artist) 50 Cent's personal website as a piracy site.

And these four members of Congress seem to have no problem with such censorship.

But this letter is even worse than that. Various ad networks have already set up "best practices" for not putting ads on "bad" sites -- but this letter says that's not enough:

We support these steps, but note that much remains to be done to operationalize the
commitments made and to make them effective in preventing the appearance of legitimate ads on
pirate sites, rather than simply responding once they are placed. Best practices are useful, but
greater specificity is needed around preventative measures that participants in the digital
advertising ecosystem can and should take to avoid the placement of ads on piracy sites, as
well as the development of metrics to measure the effectiveness of these steps. Only through
proactive efforts will the harms associated with ad-supported piracy be mitigated.

As the EFF notes, such intimidation by members of Congress raises a whole host of legal problems:

Letting commercial companies with their own competitive motivations decide which sites are "rogue" or "pirate" sites is a recipe for abuse. It means that site owners who comply with copyright law could still have their sources of revenue cut off when a company who might be a competitor asks for it. The legislators' letter doesn't define "online piracy sites," but most of the definitions we've seen lately focus on the number of takedown requests a site has received from copyright holders, or the number of requests sent to search engines about the site. Since just a few companies send out a large portion of the takedown requests, those companies would effectively have the power to control who gets deemed a "piracy site."

As a federal law, this scheme would have created serious First Amendment and due process problems. As a private agreement among competing ad networks, it could raise other legal problems. Under the Sherman Antitrust Act, companies that compete with each other aren't allowed to make a pact amongst themselves about who they will refuse to do business with, especially if the purpose of the pact is to squelch competition or punish a rival. It's called a "group boycott" or "concerted refusal to deal," and it can lead to big-money lawsuits and years of trouble. In some cases, groups of competitors sharing a list of companies that they deem to be bad actors, with a wink-wink understanding that no one in the group should do business with those companies, was deemed a violation of the Sherman Act1.

Claiming that an industry-wide refusal to deal is justified by "fighting piracy" doesn't necessarily avoid an antitrust jam. In 2003, the Motion Picture Association of America decided that its members, major movie studios who compete with one another, would no longer send pre-release "screener" copies of films to members of awards committees like the Motion Picture Academy. According to the MPAA, the group boycott of awards committees was needed to stop infringement of pre-release movies. But the group ban put smaller studios at a huge disadvantage in getting award nominations and votes. In just two months, a court decided that the MPAA's screener ban was likely illegal, and that loss may have precipitated MPAA head Jack Valenti's retirement a few months later.

Once again, we have lawmakers -- with an unfortunately long history of being the movie and recording industry's lapdogs in Congress -- making suggestions that would make those industries happy, but which almost certainly violate the law. And, even worse, they clearly go against the will of the American public, who vocally rejected such measures when they were put into SOPA and PIPA.

Could it be that Reps. Goodlatte and Schiff, and Senators Whitehouse and Hatch, have already forgotten what happened when they pushed for such a law? I can assure them that the American public hasn't forgotten.

from the say-what-now? dept

One of the favorite misleading tricks of supporters of more draconian copyright laws is to put out a report each year about the "size" of "the copyright industries," by the "International Intellectual Property Alliance" (a trade group made up of other trade groups, including the RIAA, MPAA, BSA, ESA, NMPA and others) There are numerous problems with this report. First off, it makes the ridiculously wrong assumption that "the copyright industries" exist solely because of copyright law. That is, they use the size of the numbers to suggest that stronger copyright law is necessary. Yet that's ridiculous. They present no evidence that the industries would be any different size, if copyright law were weaker or stronger. They simply present that as the obvious implication. Furthermore, their definition of what makes up "the copyright industries" is insanely broad, and tends to include plenty of operations who don't actually want stricter copyright laws at all. For example, I'm sure Techdirt technically qualifies under whatever measure they're using. After all, we're a publisher, so technically we're in "the content industries." Yet I can tell you right now that exactly zero percent of our revenue is due to copyright law. That's true of many, many of the companies included as being in "the copyright industries."

Unfortunately, this myth persists that if you add up all of the broadly defined "content industries," it somehow shows why you need stricter copyright. But that makes no sense. If they actually showed a direct causal relationship -- or even any evidence that copyright policy directly drives aggregate revenue, they might have some argument. But they don't go near such things. But it doesn't stop grandstanding around the issue. With the latest release, Senators Sheldon Whitehouse and Orrin Hatch, along with Reps. Bob Goodlatte and Adam Schiff, welcomed the various lobbyists who produced this report (i.e., the heads of the ESA, NMPA, RIAA and MPAA) to cheer on the report and use it to falsely pretend this is proof that more draconian copyright laws are important.

This makes no sense and, frankly, it insults the intelligence of just about everyone, to pretend that total revenue within an industry is the automatic indicator of how policy should be determined for that industry. You determine policies based on deltas, not absolutes.

It gets even worse, when you look at the actual report, which shows the industries in question are doing tremendously well. In fact, as many are noting, the report actually appears to undermine the industry's entire argument that "piracy" is somehow decimating their businesses. Instead -- even through a recession, these companies are making a ton of money, and there's no evidence of significant job losses.

It's a pretty weak move when our Congressional leaders to then take those points, that simply do not support the need for more copyright law in any way... and then use it to support such policies. Each year, of course, CCIA puts out a report that shows that if that's how you're going to calculate "the copyright industries," it's only fair to use the same methodology to calculate the industries that are built from "exceptions to copyright law," which turns out to be significantly larger than "the copyright industries." So if any of the elected officials praising this latest report are intellectually honest, they should actually be advocating for weaker copyright laws. After all, the same methodology shows that exceptions to copyright law contribute much more to the economy than copyright law itself.